Sweshi's Tutorials

Autoruns Tutorial

NOTICE: All the tutorials on this website are meant to help you find security vulnerabilities on your own network and devices to understand your security posture before black hats do. Penetration testing without written consent is illegal and you can be prosecuted. Use these tutorials to secure your own networks or those you have been granted permission to test. Keep it ethical and keep it professional.
Autoruns Introduction

Autoruns is a powerful utility in the Sysinternals suite of tools, developed by Microsoft. It is commonly used in cybersecurity for examining and managing the various programs and processes that automatically start on a Windows system during boot-up or login. Autoruns provides a comprehensive view of autostarting locations in the operating system, including entries in the registry, startup folders, and more.

It's important to note that while Autoruns is a powerful tool, it requires a good understanding of Windows internals and the ability to differentiate between legitimate and potentially malicious entries. In cybersecurity, it is often used in conjunction with other tools and methodologies to conduct thorough system analysis and incident response. Exercise caution when making changes based on Autoruns findings to avoid disrupting critical system functionality. You can download it as part of the Sysinternals package in the Windows Store. Autoruns is used for the following:

  • Identifying Malicious Software: Autoruns helps cybersecurity professionals and analysts to identify potentially malicious or unwanted software that may be configured to run automatically. Malware often tries to establish persistence by adding entries to autostart locations, and Autoruns can reveal these entries.
  • Analysis of Startup Programs: Security analysts use Autoruns to review and analyze the list of programs that start automatically with the operating system. This is crucial for understanding the normal behavior of a system and for identifying any anomalies or suspicious entries.
  • Rootkit Detection: Autoruns can be used to detect rootkits and other stealthy malware that may attempt to hide themselves by injecting into the startup process. By examining autostart locations, security professionals can uncover hidden or disguised entries.
  • Digital Forensics: In digital forensics investigations, Autoruns is a valuable tool for examining the startup configuration of a system. It can assist in reconstructing the timeline of events and identifying any unauthorized changes or activities that may have occurred on the system.
  • Managing System Configuration: System administrators and security professionals can use Autoruns to manage the configuration of autostart programs. This includes selectively enabling or disabling entries to improve system performance or troubleshoot issues.
Using Autoruns

When you open the tool, you will first see all the items configured to run automatically on the "Everything" tab.

[Image: Autoruns tutorial: opening the tool]

There are multiple tabs that show different types of autostart entries, including Logon, Internet Explorer, Scheduled Tasks and others, each listing things that run automatically.

For any process or file, you can right-click it and submit it to VirusTotal. You need to agree to VirusTotal's terms and conditions first. After you agree, you can submit the file and check the VirusTotal column for results.

[Image: Autoruns tutorial: VirusTotal]

To disable something from running, you can uncheck it, but make sure you know what you are doing. You can easily break your OS by stopping an important component of the OS from starting. Trust me, I have done it before. Even safe mode did not help me.

[Image: Autoruns tutorial: disabling what runs]
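Before unchecking anything, it helps to narrow the list to entries that deserve a closer look. The following is an added example, not part of the original tutorial: it reads a CSV export of autostart entries and flags enabled entries that are unsigned, missing on disk, or launched from user-writable folders. The column names, the "(Verified)" signer prefix, the "File not found" marker and the sample rows are assumptions constructed for illustration; adjust them to match your own export.

```python
import csv
import io

# Constructed sample export (not real data). Column names are assumptions
# modelled on a CSV export of autostart entries; adjust them to your file.
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,,C:\Users\alice\AppData\Roaming\upd\updater.exe
Task Scheduler,\VendorSync,enabled,(Not verified) Example Vendor,C:\Program Files\Vendor\sync.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,,C:\Temp\oldtool.exe
HKLM\System\CurrentControlSet\Services,GhostSvc,enabled,,File not found: C:\Windows\ghost.sys
'''

# Path fragments that ordinary users can usually write to (lower-case).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def triage(csv_text):
    """Return (entry, reasons) for enabled entries that deserve manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries do not run at startup
        signer = row["Signer"].strip()
        path = row["Image Path"].strip().lower()
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("unsigned or unverified signature")
        if path.startswith("file not found"):
            reasons.append("target file missing")
        elif any(marker in path for marker in USER_WRITABLE):
            reasons.append("image in user-writable location")
        if reasons:
            findings.append((row["Entry"], reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV):
        print(f"{entry}: {', '.join(reasons)}")
```

A flagged entry is a prompt for investigation, not proof of malware; plenty of legitimate software is unsigned or installs under a user profile.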